Skip to content

docs: Re-add GKE Code Executor tool doc #677

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Sep 8, 2025
Merged

docs: Re-add GKE Code Executor tool doc #677

Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
27bc4e8
[8/15] add GKE executor doc
syangx39 Aug 15, 2025
619d763
[8/15] add GKE executor doc
syangx39 Aug 15, 2025
badc8b5
[8/15] add GKE executor doc
syangx39 Aug 15, 2025
a636088
[8/15] add GKE executor doc
syangx39 Aug 15, 2025
460055f
Merge branch 'main' into main
joefernandez Aug 19, 2025
aee54d7
docs: Re-add GKE Code Executor tool doc
joefernandez Sep 8, 2025
333f33f
Merge branch 'main' into syangx39-main
joefernandez Sep 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 50 additions & 0 deletions docs/tools/built-in-tools.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,56 @@ like calculations, data manipulation, or running small scripts.
--8<-- "examples/java/snippets/src/main/java/tools/CodeExecutionAgentApp.java:full_code"
```

### GKE Code Executor

The GKE Code Executor (`GkeCodeExecutor`) provides a secure and scalable method
for running LLM-generated code by leveraging the GKE (Google Kubernetes Engine)
Sandbox environment, which uses gVisor for workload isolation.

For each code execution request, it dynamically creates an ephemeral, sandboxed
Kubernetes Job with a hardened Pod configuration. This is the recommended
executor for production environments on GKE where security and isolation are
critical.

#### System requirements

The following requirements must be met to successfully deploy your ADK project
with the GKE Code Executor tool:

- GKE cluster with a **gVisor-enabled node pool**.
- Agent's service account requires specific **RBAC permissions**, which allow it to:
- Create, watch, and delete **Jobs** for each execution request.
- Manage **ConfigMaps** to inject code into the Job's pod.
- List **Pods** and read their **logs** to retrieve the execution result
- Install the client library with GKE extras: `pip install google-adk[gke]`

For a complete, ready-to-use configuration, see the
[deployment_rbac.yaml](https://github.com/google/adk-python/blob/main/contributing/samples/gke_agent_sandbox/deployment_rbac.yaml)
sample. For more information on deploying ADK workflows to GKE, see
[Deploy to Google Kubernetes Engine (GKE)](/adk-docs/deploy/gke/).

=== "Python"

```py
from google.adk.agents import LlmAgent
from google.adk.code_executors import GkeCodeExecutor

# Initialize the executor, targeting the namespace where its ServiceAccount
# has the required RBAC permissions.
gke_executor = GkeCodeExecutor(
namespace="agent-sandbox",
timeout_seconds=600,
)

# The agent will now use this executor for any code it generates.
gke_agent = LlmAgent(
name="gke_coding_agent",
model="gemini-2.0-flash",
instruction="You are a helpful AI agent that writes and executes Python code.",
code_executor=gke_executor,
)
```

### Vertex AI RAG Engine

The `vertex_ai_rag_retrieval` tool allows the agent to perform private data retrieval using Vertex
Expand Down